Strategies for Managing Risk from the GFMI Conference

Posted on 03-02-2016 by Ulyana Androsova

Just a few weeks ago, the GFMI conference brought together experts and leaders from across the financial services industry to share their strategies and insights on managing risk. Naturally, due diligence and third-party risk featured heavily in discussions, but, reflecting the complex environment in which financial services organizations operate, fourth-party risk was perhaps one of the hottest topics. Why? Just as pressure has ramped up on other industries to vet their entire supply chains, down to the raw materials, to bring forced labor into the light, pressure is growing for financial organizations to identify risk in outsourced services.

What’s Driving the Focus on Fourth-Party Risk?

One interesting presentation on the topic of fourth-party risk during the GFMI Conference came from Philip Edwards, Chief Procurement Officer at Synovus Financial Corp. He pointed out that while regulators apply a broad definition to third-party risk, in recent years they have increasingly used language suggestive of fourth parties. In particular, the guidance from the Office of the Comptroller of the Currency (OCC) changed significantly. The current 2013-29 guidance uses the terms ‘subcontractor’ or ‘subcontracting’ 34 times, while the same terms appeared only four times in the 2011-47 guidance. And the OCC is not the only regulatory body highlighting the need for more far-reaching due diligence to manage risk. The FDIC has indicated that “Contracting for a technology solution by using one lead provider may lessen [institutions direct involvement]…, but it does not diminish the responsibility for monitoring … subcontractors through the primary service provider relationship.”

Moreover, the high-profile data security breaches that have taken place in recent years only emphasize the importance of knowing who your third-party vendors use as sub-contractors. A few years ago, in an interview with FierceFinanceIT, Albert Belman, principal for third-party risk management practice at Booz Allen Hamilton, said, “What has happened for services providers, very specifically in financial services, is the recognition that you need to have a data supply chain. If you are going to allow third parties to access your data, and they are going to, in turn, allow access to other third parties, you are going to need to have a full line of sight and visibility into that.” Are you just a cyber-breach away from a financial and reputational disaster caused by third- or even fourth-party subcontractors and agents? What other risks may these outsourced relationships pose?

Where Should You Start in Addressing Fourth-Party Risk?

Of course, the question is how organizations can incorporate fourth-party risk management into their due-diligence process. Here are some steps recommended in the presentation:

  1. Determine the criteria you will use to define sub-contractors and agents beyond third parties. Not all sub-contractors pose the same level of risk. Just as you conduct a risk assessment to determine which third parties are subjected to enhanced due diligence, you need to determine which fourth parties constitute the greatest risk to your organization. High-risk fourth parties, for example, might be cloud-storage vendors sub-contracted by third parties, since a cyber-attack could ultimately put your customers—and your organization—at risk.
  2. Identify “concentration risks” for multi-service and geographical categories. Even if you consider some fourth parties to be low risk, you also need to consider situations in which that risk could quickly escalate. A landscaping company contracted by a third-party property management vendor, for example, might pose a risk if it were to fail during peak times of year.
  3. Expand your financial, industry and news monitoring. In today’s always-on media landscape, keeping tabs on what’s being said enables you to keep an eye out for red flags and respond proactively at the first sign of risk.

Are you making changes in your own due-diligence strategy to address fourth-party risk? Leave a comment below to let us know how you’re doing it.

 

3 Ways to Apply This Information Now

  1. Explore third-party risk further in our blog post on “Why Mapping Out a Due-Diligence Process is Critical for Financial Services Companies.”
  2. Check out our solution for conducting due diligence on individuals and organizations.
  3. Share this blog on LinkedIn to keep the dialogue going with your colleagues and contacts. 

Comments


Anonymous
Posted on : 16 Mar 2016 6:48 PM

Minimizing Risk in the Financial Services Industry Demands you Conduct Due Diligence Beyond Third Parties:  Addressing Fourth Party Risk
